OK.
On this slide, what we're going to do is we're going to look at audit goals, and we're going to cross-reference audit goals to what you want to look at.
So if you want to justify resources (I think somebody said "louder"): to justify resources, you want to look at writes to an application or the use of print queues. To diagnose problems or performance problems, you want to look at file opens related to the application that is slow. I'm just going to hit the first two on each slide unless there are any questions.
Next, what we're going to look at is trying to cross-reference the threats to what you want to look at in the audit log. The first type of threat would be intrusion-type break-ins using random passwords, Crowbar, etc. Enable failure auditing for logon events; that's obvious. Break-ins using stolen passwords: you want to enable success auditing. Success auditing and failure auditing are both very useful; a lot of people think just failure auditing is important. So, getting back to break-ins using stolen passwords, enable success auditing for logon and logoff events. Again, this doesn't mean that the person using the password is the person who owns the password. You can never assume that. Look at unusual activity, like people logging on in the middle of the night, etc.
This kind of brings up a good point, though: this is information from, say, one host, or however many hosts you have auditing on. This is a key thing to use when you're correlating information, whether you've got an extra system to do the correlation automatically for you or whether you have to look at the logs after the fact and try to correlate between a couple of different servers. A few of you out there are probably thinking that, at least with NT, auditing for a lot of this stuff does take up resources. That's kind of where we're saying, we're Audit, in a sense. Operations, it's your job to provide us this information. Processing power is cheap. Get more.
Just a...
Just a mindset difference.
It's a definite mindset difference.
Okay, what to audit, again, looking at threats. Improper access to sensitive files: you can enable success or failure auditing at the file level for sensitive files.
Now we're going to focus in on Windows NT and discuss the native tools, some detects, etc.
This is what it looks like.
And this is an auditor's dream here. Everything turned on to audit. So this is something you
want to adjust for your environment, obviously.
There's nothing to audit if there's no audit trail. So that's why we...
What percentage of resources do you find audit like this would take?
It really depends upon the environment and what the server's doing. I mean, a PDC and
a BDC will be different than a server that's doing the same thing.
They're doing file and print serving. And, you know, something that's in HR is different
than something that's, say, you know, on a manufacturing floor or an R&D lab. So it
really depends upon what the server's purpose is and who's accessing it for what.
What is the default configuration?
Off.
Everything's off by default.
Everything is off?
All auditing is turned off by default when you start up, when you first install a server.
When you first install Windows NT.
This slide just elaborates on the previous slide, telling you what each of the different
auditing options does, log on, log off, of course, and there was success and failure.
Going back to the last slide, this process tracking is important to auditors, but it's
definitely a resource hog. You definitely don't want to turn that on if you're trying
to prove something, et cetera.
We'd like it on all the time, but...
Okay, this is what NT file auditing looks like. It's a different screen than the other
types of things.
This is what you audit.
This just says the types of things that are audited when you turn on file systems auditing.
For example, on the directory level, you can see displaying names of files in the
directory, displaying directory attributes. This all will show up in the logs.
This is kind of a laundry list of different things you could audit for, and if everything
was turned on, you would see these type of events.
The best use for this really is to say, okay, what is it that I want to see?
What events do I want to have an audit trail for?
Then based off of this, you can work backwards and determine which events that you actually
click in the dialog box to audit for.
This is how you look at the logs in Windows NT, something called Event Viewer.
And how do you make sense of it?
The native tool does have a filter option, but it's primitive.
And it also should be noted that...
We'll show where the logs are held later, but on Windows NT by default, because there
isn't a separate auditor from the administrator really, somebody that does have administrative
authority can tamper with the logs.
So you do have to take all that...
It's not an auditor's dream, no.
This is a sample of the event IDs in Windows NT, and later we'll tell you where to get
these event IDs.
My favorite, of course, 529, unknown username or bad password.
So let's look at a scenario.
This is a scenario.
When somebody comes along and tries to open Notepad.
This is with all auditing turned on.
So when somebody opens Notepad EXE and reads a file, a text file, these are the events
that will show up.
As you can see, the process opens.
It opens a text file.
And then, again, the process is exited.
When you halt Notepad.
Okay.
Back in the event viewer tool, if you would double-click on one of those events, you're
going to see more information on the event.
And this is a sample of what you'd see, like, for an event 560.
Okay.
Now, one thing about the previous slide, where you've got the different events: if you've got a busy server, chances are these won't be directly in one order after another. You'd have to hunt and find them. And so that's where opening up the detail and looking at it helps, because you can look at the handle ID numbers and then match up which process it was, actually, that did it.
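The handle-ID matching just described, as an added example (this is not code from the talk, and it is not something Event Viewer or BindView does for you). The records are constructed to look like exported NT security-log rows for two users whose activity is interleaved on one server: 592/593 are process creation/exit, 560 is object opened, 562 is handle closed (the classic NT event IDs; only 560 is named in the talk). The field names rec, pid, handle, object and image are an assumption about the export layout. Each open is paired with its close and with the process that did it, keyed on process ID plus handle ID, since a handle ID is only unique while the handle is open.

```python
"""Added example: pair NT 560/562 object-audit events by handle ID and
tie them back to the 592 process-creation record.  Records are constructed
to resemble exported NT 4.0 security-log rows; field names are assumed."""

# Constructed sample: alice in Notepad and bob at a command prompt,
# interleaved the way a busy server's log would show them.
EVENTS = [
    {"rec": 1, "id": 592, "user": "alice", "pid": "0x1A4", "image": "NOTEPAD.EXE"},
    {"rec": 2, "id": 592, "user": "bob",   "pid": "0x1C0", "image": "CMD.EXE"},
    {"rec": 3, "id": 560, "user": "bob",   "pid": "0x1C0", "handle": "0x34",
     "object": "C:\\PAYROLL\\Q3.XLS"},
    {"rec": 4, "id": 560, "user": "alice", "pid": "0x1A4", "handle": "0x58",
     "object": "C:\\TEMP\\NOTES.TXT"},
    {"rec": 5, "id": 562, "user": "bob",   "pid": "0x1C0", "handle": "0x34"},
    {"rec": 6, "id": 562, "user": "alice", "pid": "0x1A4", "handle": "0x58"},
    {"rec": 7, "id": 593, "user": "alice", "pid": "0x1A4"},
]


def process_table(events):
    """Map process ID -> (user, image) from the 592 process-creation records."""
    return {e["pid"]: (e["user"], e["image"]) for e in events if e["id"] == 592}


def file_opens(events):
    """Pair every 560 object-open with its 562 handle-close and creating process.

    Handle IDs are reused once closed, so the key is (process ID, handle ID)
    and each open is matched to the next close for that key.  Opens with no
    close are reported with closed=None (process still running, or the 562
    already overwritten in the log).
    """
    procs = process_table(events)
    open_handles = {}          # (pid, handle) -> 560 record awaiting its 562
    sessions = []
    for e in sorted(events, key=lambda r: r["rec"]):
        key = (e["pid"], e.get("handle"))
        if e["id"] == 560:
            open_handles[key] = e
        elif e["id"] == 562 and key in open_handles:
            o = open_handles.pop(key)
            user, image = procs.get(e["pid"], (o["user"], "<no 592 seen>"))
            sessions.append({"object": o["object"], "user": user, "image": image,
                             "opened": o["rec"], "closed": e["rec"]})
    for o in open_handles.values():
        user, image = procs.get(o["pid"], (o["user"], "<no 592 seen>"))
        sessions.append({"object": o["object"], "user": user, "image": image,
                         "opened": o["rec"], "closed": None})
    return sessions


def who_opened(events, path_prefix):
    """Which user/process touched objects under a path, e.g. the HR share."""
    return [s for s in file_opens(events)
            if s["object"].upper().startswith(path_prefix.upper())]


if __name__ == "__main__":
    for s in file_opens(EVENTS):
        print(s)
```

The `procs.get` fallback matters in practice: if process tracking was off (the talk calls it a resource hog) there is no 592 record, and the best you can do is attribute the open to the user named in the 560 event.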
Okay.
We're touching on third-party tools now.
Our favorite tool is BindView, really because it gives us independence of operations.
We don't have to be an investor.
We don't have to be an administrator on the box to look at the logs.
And it has good query capability.
Okay.
This is a simple trace.
I programmed BindView to look for event 529, bad username or password.
And as you can see from the time and date, it's systematic.
And you can program BindView to look for all of these attributes.
This is a sample event correlation signature where you're going to have to look at different boxes.
Again, with BindView, you can audit the entire enterprise from one workstation.
With the native tools, especially with NT, you really have to go to each workstation, excuse me, each server.
It's very time-consuming.
And what this shows is a login success, event 539.
The same person logging in from different machines at the same, at similar times.
I mean, he can't be in different geographical locations at the same time.
So it's, you know, definitely puts up a red flag.
This looks into the event description of an unknown username or bad password.
But what I wanted to point out in this description is the logon type.
That's something with Windows NT that you can query deeper into and actually find out what type of logon it was.
And the next slide actually tells you the type of logon.
For example, did he log in from the network? Was he sitting at the console itself?
Yes?
on an internal network, not an intranet site or anything like that. There wasn't the chance
for us to see that, so I can't answer that question.
This is a shortcoming of BindView for Windows NT. The internals of an event are all lumped
into one field, so it's hard to query specific attributes like logon type with BindView for
NT. Although it's a great auditing tool for Windows NT, it does have some shortcomings.
I just wanted to give you a warning. Types of NT logs. We were just talking about
the security log, but there's also an application log and a system log.
Some of the ways that you can try and get around this are to use a syslog type service
and pump the logs off to a remote server.
Then something I heard about at Black Hat during the Honeynet presentation: if you have a network intrusion detection system (Snort was the one used there) capturing all of the packets, and it sees the syslog entries, essentially your IDS is a passive logging system and can dump out all the syslog events.
So you can actually have them in two places beyond just what's on the server itself.
It's something to consider.
It depends on the server.
It depends on how much you value these logs.
Again, these are the location of the logs, just in case you want to do something with
them.
This is a tool that comes with the NT resource kit. It's made by Crystal Reports and it's
really good for querying the logs.
The data within NT logs is very robust.
You can query archived event logs or as it's happening.
To do that, for those of you that haven't set up auditing on an NT server: actually, when you're setting up Event Viewer, you set up the properties of how large each of those three logs we talked about is, and when they overwrite.
You can set up properties to have them archived to a different file, and that's where this comes into play.
Of course, this is one machine at a time, excuse me, one server at a time.
The machine, you can set it up for a halt on audit logs full or overwrite.
Of course, you know, we would like large audit files.
Job security.
Yeah.
This is, again, going through the fields of Crystal Reports for NT logs.
You can really get granular into the details of the events.
And this is a sample report if you want to present evidence to management, etc.
Now we're going to hit specific Novell NetWare.
Yes.
Yes, for certain purposes. That would be actually if you're doing an
audit on the security of Windows NT or you want to see something else.
But as far as this presentation's geared more towards, okay, you have a network that's running,
it's up. In our case, it's a very large network.
And there's a lot of things that are going on. So you just want to have the servers as
much as possible record information so you can look at it at a later date to see what's
going on in your network or to see if you've got problems.
But for doing something like a security audit, yes, using L0phtCrack or something like that does have a lot of value. Of course, that would fill up logs very quickly. Go ahead.
The question was what, in our example, the bank calls for in retention. And that's really a corporate policy set at a high level. I actually don't remember what it is off the top of my head. But that's a corporate policy decision.
Going on to looking at Novell, this is the AuditCon utility for Novell. This is the first screen. You can set it up, of course, to have passwords, or to have a password for each auditor. And, of course, the system administrator would not have that password.
If the system administrator has access to the top three, don't they?
No, the AuditCon utility works differently. Its authorization is not based upon the NDS
rights. It's very good in that perspective. It's, you know, you can't use it on your
Once you assign somebody the password for AuditCon, they have it, and the administrator's password doesn't override that.
It's locked in, and so it's very much a separate utility.
Okay, so this is the AuditCon screen.
It shows you how granular you can get.
This is audit by event, and then you pick file events or some other type of event.
Yeah, pardon the term.
In a lot of ways, with NetWare auditing, the granularity you have, it's almost an auditor's wet dream in a sense, because you can audit just about every single thing that goes on.
Granted, it is a resource hog, and even just auditing a small number of things, the NetWare AuditCon utility is a resource hog across the network, because NetWare is chatty.
So this is something you really have to judge based upon your network.
You can also audit things that the administrator is doing, so to provide an oversight of the administrator.
Depends what he's doing.
Yeah, it depends what he's doing, but, for example, we've got a large network.
Multiple administrators because we've got multiple sites, so an attempt to do that because of the many containers.
I mean, you've got container-level administrative rights.
You've got overall tree administrative rights.
So it's actually quite a large undertaking to try and do that to watch what the administrators are doing.
But from an audit point, those guys are going to screw you, and that's the only thing.
You know, a lot of them, all the rest of them is sort of a moot point.
Yeah, and you're asking.
You're absolutely right, but that's some of the contention Audit runs into with operations.
Like we said earlier, we want to audit everything, but operations runs the network,
and that's where we can butt heads at times, and decisions have to be made as far as you know.
Because all security has a cost, whether it's a real dollars cost or a systems cost.
So that's, you know, it's risk management, deciding how much risk you want to accept,
how much you want to try and mitigate.
Again, this is looking at the AuditCon utility, looking at the available audit options.
Again, you can look at audit directory services.
This is a great change control tool for auditing directory services.
This is auditing by events.
Again, once you drill down to the actual thing you want to audit, it's an on-off.
This is auditing an individual user.
So again, if you want to audit the administrator, you would just pick his ID from the screen.
Yeah, just turn them on and off.
It's as simple as that.
This is, again, our favorite tool, BindView, for Novell auditing.
BindView puts all the attributes of operating systems into databases, as you can see.
Mind you, it's a robust tool.
It can do a lot, but this is just for auditing.
You end up using it.
Yeah, it's a really good tool, and when you have a large network enterprise, if you have a mixed NetWare 4 and 5 environment, BindView is really good as far as being able to query across all the different servers or different containers, getting what you want, really drilling down.
It does cost a lot of money, and the licensing is a little strange, but it's a very good tool.
Yes?
For NT, there are some.
Most of them, it's based upon really treating it like a syslog service and dumping it off the server
and then just using some sort of standard tool that will comb through your syslogs for certain events.
You've got to remember, also, from an auditor's point of view,
we need a tool that we do not have to be an administrator to use and run.
So a lot of the tools out there that are open source, you have to be an admin.
Again, this is similar to the Crystal Reports tool that you'd pick your fields, et cetera.
Scope is very important with BindView because you can run it against ten servers or a thousand servers all at once.
Very convenient.
No, not for NetWare.
BindView uses Novell's native query tools to do its work.
It's off.
There are none.
You have to set everything off.
It's on if you want.
Most of the time, from an auditing point of view,
99% of the time you say, could I see the logs?
And there are no logs.
This is the AuditCon tool, what you'd see if you actually wanted to view the events.
It's hard to work with.
That's why we use third-party tools.
And again, it's based on event ID, similar to NT.
Going back one, even if you clear the audit file, this is very important, there's going
to be an event that hits the audit log.
So we can note if there's any tampering with the audit log, et cetera.
What queries to run?
This is, you know, if you have time, this is a sample of some queries to run.
Failed log in attempts over a threshold, of course.
If there's ten duplicated attempts, et cetera, within a short period of time, then you know
that something may or may not be going on.
And this is where the power of BindView comes in really handy on a large network, because
you can basically program these in.
It's not going to work.
You can set a batch job to run, and it can just do this, and you can even set it up to
run on a weekly, a monthly basis, what have you, and then the reports are ready.
So you can run them on a weekend when it won't be as critical for your environment,
perhaps, and then you have the information to look at.
Again, you always want to look if the audit log was cleared.
For NDS, you want to look at creation, deletion of container objects or tree objects.
Okay.
Great.
What's number 12 on the list?
Abusive privileges would be like the system admin doing things, maybe looking at confidential
HR files, you know, that he has the ability to look at but shouldn't be looking at.
I'm unclear how BindView might, how you might write a query in BindView to find that.
You'd have to set auditing for that file.
Okay.
So, you can do that.
And then, with the, in the event internals, like with NT, when you double-click on an
event like with NT, and you actually see the file name that was opened.
Yeah, it's, BindView does have a small amount of querying features that you can put in there
to do specific things like this.
You can say, okay, you know, for the other file auditing that we have turned on for,
for administrator X, you know, tell me every time they've accessed this directory or any
files in this directory.
And that's the type of report that you, you could write.
It's, that's why it's down the list.
It's not an easy one, not something that you're going to do all the time.
You're going to get a lot of pushback, of course, from the administrator when you want
to turn this, turn these things on.
Nobody likes to be under surveillance, I guess.
Okay.
Great.
Thank you.
Unless there's no questions on this slide, we'll move on.
Correlation: I can only think of four, but I'm sure that as looking at logs grows, as regulations like HIPAA, etc., come out that say you have to do logging and monitoring, I see also, looking at the market, that new tools and new techniques are coming out for looking at logs.
So this would be, again, correlation.
It would be the same person logging into different physical locations of the network at the same time, which is impossible, of course, so it's a red flag.
Different people signing into the same machine.
Paired events: let's say a person logs on, but you can't see if they ever logged off, so that throws up a red flag.
New ideas: I know there are people out there looking to correlate logs on the servers themselves, like NetWare, with firewalls and network transport layer IDS, etc.
This is something that is either limited only by your creativity or your budget, because
in addition to logs, we haven't touched host-based intrusion detection tools, but there are ones
that exist that you can put on these same servers that in a sense take some of this
logic for you and do the correlation with other host-based intrusion detection systems,
possibly with your network intrusion detection system and everything, so like I said, it's
limited either by your creativity or your budget on how well you do this.
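The correlation signatures discussed here, the BindView cross-server signature shown earlier (same person logging on from different machines at similar times) and the sample queries (failed logons over a threshold, audit log cleared), as one added example. This is not code from the talk or from BindView; it runs the checks over a constructed set of security-log records that have already been pulled from several NT servers into one list, which is the situation BindView or a syslog collector puts you in. Event IDs 528 (logon success), 538 (logoff) and 517 (audit log cleared) are the classic NT/2000 IDs; 529 is the bad-password ID named in the talk. The field names host, user, ws and logon_id are an assumption about the exported layout.

```python
"""Added example: event-correlation signatures over merged NT security logs.
Records are constructed (three servers, one night); field names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta


def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample, as if exported from PDC1, FS2 and FS3 and merged.
EVENTS = [
    {"host": "PDC1", "id": 528, "user": "carol", "ws": "WS-HQ-07",   "logon_id": "0x1001", "t": T("2001-07-13 09:02:10")},
    {"host": "PDC1", "id": 529, "user": "carol", "ws": "WS-HQ-07",   "logon_id": None,     "t": T("2001-07-13 09:01:50")},
    {"host": "PDC1", "id": 538, "user": "carol", "ws": "WS-HQ-07",   "logon_id": "0x1001", "t": T("2001-07-13 17:30:00")},
    {"host": "FS2",  "id": 528, "user": "dave",  "ws": "WS-HQ-12",   "logon_id": "0x2001", "t": T("2001-07-13 10:00:00")},
    {"host": "FS3",  "id": 528, "user": "dave",  "ws": "WS-PLANT-3", "logon_id": "0x3001", "t": T("2001-07-13 10:03:30")},
    {"host": "FS3",  "id": 517, "user": "admin", "ws": "FS3",        "logon_id": None,     "t": T("2001-07-13 02:20:00")},
]
# Five bad-password attempts against "admin" five seconds apart, at 02:14.
EVENTS += [{"host": "FS2", "id": 529, "user": "admin", "ws": "WS-HQ-12", "logon_id": None,
            "t": T("2001-07-13 02:14:%02d" % (5 * i))} for i in range(5)]


def failed_logons_over_threshold(events, n=5, window=timedelta(minutes=5)):
    """Accounts with n or more 529s inside any sliding window: password guessing."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            per_user[e["user"]].append(e["t"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - n + 1):
            if times[i + n - 1] - times[i] <= window:
                flagged[user] = (times[i], times[i + n - 1])
                break
    return flagged


def same_user_different_workstations(events, window=timedelta(minutes=15)):
    """One account logging on from two workstations within the window.

    Returns (user, ws_a, ws_b, host_a, host_b); the hosts show why this needs
    more than one server's log.
    """
    hits = []
    logons = sorted((e for e in events if e["id"] == 528), key=lambda e: e["t"])
    for i, a in enumerate(logons):
        for b in logons[i + 1:]:
            if b["t"] - a["t"] > window:
                break                      # sorted, so nothing later can match
            if a["user"] == b["user"] and a["ws"] != b["ws"]:
                hits.append((a["user"], a["ws"], b["ws"], a["host"], b["host"]))
    return hits


def logons_without_logoff(events):
    """528s with no 538 carrying the same logon ID on the same host (paired events)."""
    logoffs = {(e["host"], e["logon_id"]) for e in events if e["id"] == 538}
    return [e for e in events
            if e["id"] == 528 and (e["host"], e["logon_id"]) not in logoffs]


def after_hours(events, start_hour=22, end_hour=6):
    """Anything logged overnight, for the after-hours report."""
    return [e for e in events if e["t"].hour >= start_hour or e["t"].hour < end_hour]


def audit_log_cleared(events):
    """517 means somebody wiped the security log; always worth a look."""
    return [(e["host"], e["user"], e["t"]) for e in events if e["id"] == 517]


if __name__ == "__main__":
    print("guessing:", failed_logons_over_threshold(EVENTS))
    print("two places at once:", same_user_different_workstations(EVENTS))
    print("never logged off:", [e["logon_id"] for e in logons_without_logoff(EVENTS)])
    print("after hours:", len(after_hours(EVENTS)), "events")
    print("log cleared:", audit_log_cleared(EVENTS))
```

Carol's single typo stays below the threshold, which is the point of thresholding rather than alerting on every 529; dave's two logons show up both as "two places at once" and as sessions that never logged off, because his 538s were never seen in the merged set. The thresholds and windows are the knobs to tune per environment, as the talk says about everything else.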
Okay, BindView for NT and Novell advantages, this is my favorite, administrator access
not needed.
It will run in batch mode, so if you want to run it in the middle of the night, query
multiple machines at once.
It does all the work for you.
BindView itself has application security, so you can put a password on BindView so only
the auditor can use it, of course.
The disadvantage, sometimes, especially with NT, you have to export the data to a tool
like Access or even Excel to do more detailed auditing.
Okay.
Again, that was because BindView groups the details of an event into a single field, so it's very difficult to parse and audit.
BindView can notify you if certain events occur, send you an email, et cetera.
And of course, doing Novell and NT with the same tool is very convenient.
And BindView also has tools for Unix and Microsoft Exchange.
Not that we're trying to plug them, but just to make sure.
It's showing one tool that you can use in multiple things on an internal network where
you're not doing a lot of web services or things like that.
It meets the criteria that an auditor needs.
Crystal Reports, another tool we touched on.
Advantage, of course, is more detailed auditing.
Disadvantage is, again, administrator access is needed on one machine at a time, very labor-intensive.
Reports to look at.
An after-hours report.
Okay.
Is one that should be reviewed on a regular basis.
That would be people logging in, logging off, or other events happening in the middle of
the night, et cetera.
Creation deletion of objects.
This touches on change control.
Auditors like to know when things are changed and who did them.
It's especially important in NDS. We didn't really talk about Windows 2000, but since they do have ADS now, that type of report on Windows 2000, much like NetWare, is very important, because of knowing what objects are created and deleted.
I know for me, personally, when I've done some penetration on NetWare before, the first thing you do if you find a misconfigured administrator is you grant yourself some rights, and then you set yourself up another user or another way for you to have your rights.
And then when you're done, you can delete it.
And something like that done in a short timeframe should set off some bells and whistles for
you.
Next one is a failed file access report.
That would be my admin looking at the HR files.
File attribute change report.
Intrusion detection report for Novell.
That would be a user being locked out because he tried to log in with a bad username and password more times than where you'd have intrusion detection set, like five times, et cetera.
Trustee assignment changes report.
User given supervisor equivalence, et cetera.
And the trustee assignment one is another key one because much like what I was saying
just before about if you do gain rights, because of the complexity of NDS, you can have a user
that's in a group that has administrative rights over the whole tree or to a container.
You can become a trustee.
You can become a full trustee of an administrator who's got the rights.
So if you become a full trustee of your administrator, you don't actually have the rights, but because
you are the trustee of the administrator, you can make yourself security equal to that
administrator any time you want and turn it off.
And so you can toggle back and forth quite frequently.
This is specific to Novell.
Bindery password changes report.
NDS.
The Novell directory system.
People changing their password in the tree.
Changes to the tree that we've already talked about.
NLM modules loaded, unloaded.
Volumes mounted, dismounted.
Again, Mike will talk about security equivalencies.
NT specific suggested reports are NT groups created, deleted, of course.
NT password changes.
NT policy changes.
Of course, you want to look.
If somebody's turning on and off the audit logs, you'd want to know about that.
Other considerations that are bleeding edge, I guess you could say, is remote logging and out-of-band logging.
Event correlation is what we touched on already.
You'll see that in the future.
Change control auditing from a protected baseline.
That's, again, looking at change control.
That's a real big one for us as auditors.
Because we like to know when things are changing and for what reason.
When you've got a large production environment, we've got a very formal change control process.
And this gives us a tool to go back and see if it's working like it's supposed to be.
Because when you have a large distributed network with a centralized change control management function,
they may approve and disprove when changes are going to go in.
But without something to go back and look, you don't know if it's an effective control or not.
That is something we would like to do.
It has not been implemented at this time.
But it would be something that we would love to be able to do.
At this point, it would have to be totally separate.
And, again, other types of auditing would be looking at network transfer layer auditing tools.
Such as somebody throws a packet at your machine with a port you don't have open, etc.
This is where you get event ID information straight off the manufacturer's website.
Novell.
That's the document number.
To get the event IDs.
And for NT, you can get some off the website.
But to really get a complete database of them, it comes with the NT Resource Kit.
And that's the file name that comes on the Resource Kit.
It's a Microsoft Access database.
But if you query Microsoft's knowledge base on their website,
you can get a pretty decent list of what things are.
They want you to buy.
Yeah, obviously they want you to buy the resource kit.
But it gives you an idea of, you know, for each event,
what are the different parameters that it's going to dump into the log for you.
So it gives you a little bit of an idea of when you're trying to find something that you haven't seen before.
To get more information for NT, again, the AutoCAD help file on the resource kit.
It's not a file, but it tells you what each option does on the native tools.
And gives you some description of what each event does.
NTObjectives.com is a good site.
Actually, it was a good site, because JD Glaser is now a member of Foundstone, and the information that used to be on NTObjectives is no longer there.
So that's one thing we need to fix on this.
The DEFCON brochure, it flipped the certification list.
Bob's actually a certification whore.
That's why he's got a bunch of the GSEC stuff from SANS.
So, yeah, this originated from a SANS paper that they made me write for the GSEC.
So if you want to look at that paper, it's at sans.org.
And it's the same long-ass title as this presentation.
And there's our e-mail addresses if you have any questions on specific events, et cetera.
That's it.
Okay.
Thanks.
Thank you, everyone.
Is there any questions?
